1 Introduction


The method used for specifying the parallel data lines of a hardware device is fundamental to
any hardware verification. These lines consist of an ordered set of 0’s and 1’s, usually called
bits. The ordered set of bits is referred to as a bitvector. Although a human reader of a
circuit design automatically “interprets” these bitvectors as natural numbers, 2’s complement
integers, characters, or some other encoded object, a formal model must explicitly account
for these interpretations. For example, if bv is a bitvector, a function, say bv2nat, must be
applied to bv in order to convert it to a natural number, i.e. bv2nat(bv).

The bitvectors library has been developed for PVS [1, 2, 3, 4, 5, 6] with several goals in 
mind: 

• All of the common functions that interpret and operate on bitvectors should be defined
in a manner that is simple and reusable.

• The library should not introduce new axioms. In this way the library will be consistent 
if PVS is consistent. 

• The library should provide a complete set of operators on bitvectors that hide the
particular bitvector implementation used. Thus, if the definition of the bitvector type
were changed from its current functional form to another form (e.g., a list form), the
interface to the user would remain the same.

• The library should be organized in a manner that supports a variety of hardware, 
without imposing a heavy overhead. In other words, specific parts of the library should 
be accessible without being exposed to extraneous definitions. 

• The library should facilitate the connection to different hardware design tools. 

Similar libraries have been constructed for many other systems including the Boyer-Moore 
theorem prover [7] and the Cambridge Higher Order Logic (HOL) system [8]. 

The bitvectors library is available via the World Wide Web at

http://atb-www.larc.nasa.gov/ftp/larc/PVS-library/

in the file bitvectors.dmp.

2 Fundamental Definition of a Bitvector 

There are several methods one could use to define a bitvector in PVS. Three reasonable 
candidates are: 

• a list of bits 

• a finite sequence of bits 

• a function from {0,1,2,...,N-1} into {0,1}.
The third method has been used in this library. A bit is defined as:
bit : TYPE = {n: nat | n <= 1} 
and a bit-vector is defined as 

bvec : TYPE = [below(N) -> bit] 

Thus the type bvec is a function from below(N) to bit. The domain of the function is 
specified using the type below which is predefined in the PVS prelude as: 

below(i) : TYPE = {s: nat | s < i}

The symbol N is a constant natural number representing the length of the bitvector. It is 
imported into the basic theory using PVS’s theory parameterization capability: 

bv [N : nat]: THEORY 
BEGIN 

bit : TYPE = {n: nat | n <= 1} 

bvec : TYPE = [below(N) -> bit] 

END bv 

This definition allows the use of empty bitvectors, which is primarily useful when using the 
concatenation operators defined in a subsequent section. 

A variable bv ranging over bitvectors of length N is declared as follows:

bv: VAR bvec[N] 

and the ith bit can be retrieved in two ways: bv(i) or bv^i. The latter method has the
advantage that it is implementation independent. The ^ operator is defined as follows:

^(bv: bvec, (i: below(N))): bit = bv(i)


3 Natural Number Interpretations of a Bitvector 

A bitvector is interpreted as a natural number through use of a function named bv2nat. 
This function is defined as follows: 

bv_nat [N : nat] : THEORY
BEGIN

IMPORTING bv[N], exp2

bv2nat_rec(n: upto(N), bv: bvec): RECURSIVE nat =
  IF n = 0 THEN 0
  ELSE exp2(n-1) * bv^(n-1) + bv2nat_rec(n - 1, bv)
  ENDIF
  MEASURE n

bv2nat(bv: bvec): below(exp2(N)) = bv2nat_rec(N, bv)

where exp2 is the power of 2 function defined in the exp2 theory:

exp2(n: nat): RECURSIVE posnat = IF n = 0 THEN 1 ELSE 2 * exp2(n - 1) ENDIF
  MEASURE n

The bv2nat function returns a natural number that is less than 2^N. Note that this fact is
contained in the type of the function¹. The bv2nat function is defined in terms of a recursive
function bv2nat_rec. The function bv2nat_rec is equivalent to

$$\mathrm{bv2nat\_rec}(n, bv) = \sum_{i=0}^{n-1} 2^{i} \cdot bv(i)$$

Note that this definition designates that the 0th bit is the least significant bit and the (N-1)th
bit is the most significant bit.

The bv2nat function is bijective (i.e. is a one-to-one correspondence): 
bv2nat_bij : THEOREM bijective?(bv2nat) 
and thus an inverse function nat2bv exists: 

nat2bv(val: below(exp2(N))): bvec = inverse(bv2nat)(val)

Thus, the following relationship exists between these functions: 
bv2nat_inv : THEOREM bv2nat(nat2bv(val)) = val 
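As an added illustration (this is not code from the report or from the PVS library), the following Python model transcribes bv2nat_rec, bv2nat and nat2bv for a concrete N and checks bv2nat_bij and bv2nat_inv by exhaustive enumeration, which is the sanity check one can run before attempting the proof. The representation is an assumption of the example: a bitvector is a tuple of 0/1 integers indexed by bit position with index 0 the least significant bit, and nat2bv is computed by construction rather than as inverse(bv2nat).

```python
# Added example (not part of the NASA report or the PVS bitvectors library): an
# executable model of bv_nat. A bitvector is a tuple of 0/1 ints indexed by position,
# index 0 = least significant bit, mirroring bvec = [below(N) -> bit].
from itertools import product


def exp2(n: int) -> int:
    """Power-of-two function, written recursively as in the exp2 theory."""
    return 1 if n == 0 else 2 * exp2(n - 1)


def bv2nat_rec(n: int, bv: tuple) -> int:
    """Literal transcription of bv2nat_rec: sum of 2^i * bv^i for i < n."""
    if n == 0:
        return 0
    return exp2(n - 1) * bv[n - 1] + bv2nat_rec(n - 1, bv)


def bv2nat(bv: tuple) -> int:
    """bv2nat(bv) = bv2nat_rec(N, bv); the result is below(exp2(N))."""
    return bv2nat_rec(len(bv), bv)


def nat2bv(val: int, N: int) -> tuple:
    """Constructive inverse of bv2nat (the library defines it as inverse(bv2nat))."""
    if not 0 <= val < exp2(N):
        raise ValueError("val must be below(exp2(N))")
    return tuple((val >> i) & 1 for i in range(N))


def all_bvecs(N: int) -> list:
    """Every element of bvec[N]; there are exp2(N) of them."""
    return [tuple(bits) for bits in product((0, 1), repeat=N)]


def check_bv2nat_bij(N: int) -> bool:
    """Exhaustive check of bv2nat_bij and bv2nat_inv for one N: bv2nat must hit
    every value below exp2(N) exactly once, and nat2bv must undo it."""
    images = [bv2nat(bv) for bv in all_bvecs(N)]
    injective = len(set(images)) == len(images)
    surjective = set(images) == set(range(exp2(N)))
    inverse_ok = all(bv2nat(nat2bv(v, N)) == v for v in range(exp2(N)))
    return injective and surjective and inverse_ok


if __name__ == "__main__":
    # (1,0,1,1) with index 0 as the LSB reads 1 + 0*2 + 1*4 + 1*8 = 13
    print(bv2nat((1, 0, 1, 1)), nat2bv(13, 4), check_bv2nat_bij(6))
```

The exhaustive check is only feasible for small N; the library's theorem covers all N, which is why bv2nat_bij is proved rather than tested.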


¹ The PVS system provides a powerful type theory that is heavily exploited in this library. We have
deliberately packed as much information as possible into the types of the functions. This provides two major
benefits: (1) the information is automatically available in proofs, and (2) many theorems can be stated
concisely, without explicit constraints.


4 Bitwise Logical Operations on Bitvectors

The bitwise logical operations on bitvectors are defined in the bv_bitwise theory as follows:

i: VAR below(N)


OR(bv1, bv2: bvec[N]): bvec = (LAMBDA i: bv1(i) OR bv2(i)) ;

AND(bv1, bv2: bvec[N]): bvec = (LAMBDA i: bv1(i) AND bv2(i)) ;

IFF(bv1, bv2: bvec[N]): bvec = (LAMBDA i: bv1(i) IFF bv2(i)) ;

NOT(bv: bvec[N]): bvec = (LAMBDA i: NOT bv(i)) ;

XOR(bv1, bv2: bvec[N]): bvec = (LAMBDA i: XOR(bv1(i), bv2(i))) ;

If the user wishes to avoid the use of the underlying bitvector implementation, the following 
lemmas can be used rather than expanding these functions: 

bv, bv1, bv2: VAR bvec[N]

bv_OR  : LEMMA (bv1 OR bv2)^i = (bv1^i OR bv2^i)
bv_AND : LEMMA (bv1 AND bv2)^i = (bv1^i AND bv2^i)
bv_IFF : LEMMA (bv1 IFF bv2)^i = (bv1^i IFF bv2^i)
bv_XOR : LEMMA XOR(bv1, bv2)^i = XOR(bv1^i, bv2^i)
bv_NOT : LEMMA (NOT bv)^i = NOT(bv^i)

5 Bitvector Concatenation 

The concatenation operator o on bitvectors is defined in the bv_concat theory as follows:

bv_concat [n: nat, m: nat]: THEORY
BEGIN

o(bvn: bvec[n], bvm: bvec[m]): bvec[n+m] =
  (LAMBDA (nm: below(n+m)): IF nm < m THEN bvm(nm)
                            ELSE bvn(nm - m)
                            ENDIF)

The result of concatenating a bitvector of length n with a bitvector of length m is a new 
bitvector of length n+m. The zero-length bitvector is the identity. The following theorems, 
which establish that the triple (bvec, o, null_bv) is a monoid, are proved in the theory 
bv_concat_lems. 
null_bv: bvec[0]    % zero-length bitvector

concat_identity_r : LEMMA (FORALL (n: nat), (bvn: bvec[n]):
                            bvn o null_bv = bvn)

concat_identity_l : LEMMA (FORALL (n: nat), (bvn: bvec[n]):
                            null_bv o bvn = bvn)

concat_associative : LEMMA (FORALL (m,n,p: nat), (bvm: bvec[m]),
                              (bvn: bvec[n]), (bvp: bvec[p]):
                              (bvm o bvn) o bvp = bvm o (bvn o bvp))

The bv_concat_lems theory also provides a lemma not_over_concat 

not_over_concat : LEMMA (FORALL (n: nat), (a,b: bvec[n]): 

(NOT (a o b)) = (NOT a) o (NOT b)) 

that shows that NOT distributes over the o operator and a lemma bvconcat2nat that provides 
the result of applying bv2nat to a concatenated bitvector: 

bvn: VAR bvec[n] 
bvm: VAR bvec[m] 
nm: VAR below (n+m) 

bvconcat2nat : THEOREM bv2nat [n+m] (bvn o bvm) 

= bv2nat [n] (bvn) * exp2(m) + bv2nat [m] (bvm) 


6 Extraction Operator 

The operator ^(i,j) extracts a contiguous fragment of a bitvector between two given positions.

^(bv: bvec[N], sp: [i1: below(N), upto(i1)]): bvec[proj_1(sp) - proj_2(sp) + 1] =
  (LAMBDA (ii: below(proj_1(sp) - proj_2(sp) + 1)):
     bv(ii + proj_2(sp))) ;

Although the definition looks formidable, the behavior is quite simple. The first argument is
a bitvector of length N. The second argument is a dependent pair (i, j) with j <= i < N that
designates the subfield to be extracted: bits j through i inclusive, a bitvector of length i-j+1.
For example, suppose bv = (t,u,v,w,x,y,z) with z as the least significant bit. Then
bv^(4,2) is the bitvector of length 3 that contains bits 4, 3 and 2. In other words,
bv^(4,2) = (v,w,x).
7 Shift Operations on Bitvectors

The left and right shift operations on a bitvector are defined as follows:

right_shift(i: nat, bv: bvec[N]): bvec[N] =
  IF i = 0 THEN bv
  ELSIF i < N THEN bvec0[i] o bv^(N-1, i)
  ELSE bvec0[N] ENDIF

left_shift(i: nat, bv: bvec[N]): bvec[N] =
  IF i = 0 THEN bv
  ELSIF i < N THEN bv^(N-i-1, 0) o bvec0[i]
  ELSE bvec0[N] ENDIF

The right_shift operation shifts a bitvector by a given number of positions to the right,
filling 0’s in the vacated upper bits. The left_shift operation shifts a bitvector by a given number
of positions to the left, filling 0’s in the vacated lower bits. A shift by N or more positions yields
the all-zero bitvector bvec0[N]; in every case the bits shifted out are discarded.


8 Bitvector Rotation 

The rotation operations on a bitvector are defined in the bv_rotate theory as follows: 

rotate_right(k: upto(N), bv: bvec[N]): bvec[N] =
  IF (k = 0) OR (k = N) THEN bv
  ELSE bv^(k-1, 0) o bv^(N-1, k) ENDIF

rotate_left(k: upto(N), bv: bvec[N]): bvec[N] =
  IF (k = 0) OR (k = N) THEN bv
  ELSE bv^(N-k-1, 0) o bv^(N-1, N-k) ENDIF

The following lemmas relate the fields of the rotated bitvector with the original bitvector:

rotate_right_lem : LEMMA rotate_right(k, bv)^i =
                     IF i+k < N THEN bv^(i+k) ELSE bv^(i+k-N) ENDIF

rotate_left_lem : LEMMA rotate_left(k, bv)^i =
                    IF i-k >= 0 THEN bv^(i-k) ELSE bv^(N+i-k) ENDIF

The 1-bit rotation functions are defined in terms of these as follows:

rot_r1(bv: bvec[N]): bvec[N] = rotate_right(1, bv)

rot_l1(bv: bvec[N]): bvec[N] = rotate_left(1, bv)

Conversely, rotate_right(k, bv) and rotate_left(k, bv) can be expressed as k-fold iterations
of rot_r1 and rot_l1:

iterate_rot_r1 : LEMMA iterate(rot_r1, k)(bv) = rotate_right(k, bv)

iterate_rot_l1 : LEMMA iterate(rot_l1, k)(bv) = rotate_left(k, bv)

where iterate is defined in the PVS prelude as follows:

function_iterate [T: TYPE]: THEORY
BEGIN

f: VAR [T -> T]
m, n: VAR nat
x: VAR T

iterate(f, n)(x): RECURSIVE T =
  IF n = 0 THEN x ELSE iterate(f, n-1)(f(x)) ENDIF
  MEASURE n

END function_iterate
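The shift and rotate definitions of sections 7 and 8, as an added Python model (not the report's or the library's code) that checks rotate_right_lem, rotate_left_lem and the iterate_rot_* lemmas exhaustively for a small N. Assumptions of the example: a bitvector is a tuple of 0/1 ints with index 0 the least significant bit, so bv^(i,j) is bv[j:i+1] and "bvn o bvm" is the tuple bvm + bvn (low part first); bvec0[k] is the all-zero vector of length k.

```python
# Added example (not part of the NASA report or the PVS bitvectors library): a
# Python model of bv_shift and bv_rotate. Tuple representation, index 0 = LSB.
from itertools import product


def concat(bvn: tuple, bvm: tuple) -> tuple:
    """bvn o bvm: bvm occupies the low m bits, bvn the high n bits."""
    return bvm + bvn


def extract(bv: tuple, i: int, j: int) -> tuple:
    """bv^(i,j): bits j..i inclusive; the PVS type requires j <= i < N."""
    assert 0 <= j <= i < len(bv)
    return bv[j:i + 1]


def bvec0(k: int) -> tuple:
    return (0,) * k


def right_shift(i: int, bv: tuple) -> tuple:
    N = len(bv)
    if i == 0:
        return bv
    if i < N:
        return concat(bvec0(i), extract(bv, N - 1, i))
    return bvec0(N)


def left_shift(i: int, bv: tuple) -> tuple:
    N = len(bv)
    if i == 0:
        return bv
    if i < N:
        return concat(extract(bv, N - i - 1, 0), bvec0(i))
    return bvec0(N)


def rotate_right(k: int, bv: tuple) -> tuple:
    N = len(bv)
    assert 0 <= k <= N          # k: upto(N)
    if k == 0 or k == N:
        return bv
    return concat(extract(bv, k - 1, 0), extract(bv, N - 1, k))


def rotate_left(k: int, bv: tuple) -> tuple:
    N = len(bv)
    assert 0 <= k <= N
    if k == 0 or k == N:
        return bv
    return concat(extract(bv, N - k - 1, 0), extract(bv, N - 1, N - k))


def iterate(f, n: int):
    """PVS prelude iterate(f, n): apply f n times."""
    def g(x):
        for _ in range(n):
            x = f(x)
        return x
    return g


def check_rotate_lemmas(N: int) -> bool:
    """rotate_right_lem, rotate_left_lem and iterate_rot_r1/iterate_rot_l1 for all bv, k, i."""
    for bits in product((0, 1), repeat=N):
        bv = tuple(bits)
        for k in range(N + 1):
            rr, rl = rotate_right(k, bv), rotate_left(k, bv)
            for i in range(N):
                if rr[i] != (bv[i + k] if i + k < N else bv[i + k - N]):
                    return False
                if rl[i] != (bv[i - k] if i - k >= 0 else bv[N + i - k]):
                    return False
            if iterate(lambda v: rotate_right(1, v), k)(bv) != rr:
                return False
            if iterate(lambda v: rotate_left(1, v), k)(bv) != rl:
                return False
    return True


if __name__ == "__main__":
    print(rotate_right(1, (1, 0, 0, 0)), right_shift(1, (0, 1, 1, 0)))
    print(check_rotate_lemmas(5))
```

Note the difference in the k = N case: a rotation by N is the identity, whereas a shift by N is bvec0[N].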


9 Zero and Sign-Extend Operators 

The zero_extend operator expands a bitvector of length N into a bitvector of length k, filling
the upper bits with zeros:

zero_extend(k: above(N)): [bvec[N] -> bvec[k]] =
  (LAMBDA bv: bvec0[k-N] o bv)

Thus, the natural number interpretation remains the same: 

zero_extend_lem : THEOREM bv2nat [k] (zero_extend(k) (bv) ) = bv2nat(bv) 

The sign_extend operator returns a function that extends a bitvector to length k by
repeating the most significant bit of the given bitvector:

sign_extend(k: above(N)): [bvec[N] -> bvec[k]] =
  (LAMBDA bv: IF bv(N-1) = 1 THEN bvec1[k-N] o bv
              ELSE bvec0[k-N] o bv ENDIF)

The 2’s complement interpretation remains the same: 

sign_extend_lem : THEOREM bv2int [k] (sign_extend(k) (bv) ) = bv2int(bv) 

These higher-order functions are defined in the theory bv_extend.

The following useful theorem has been proved about the sign_extend function:

sign_to_zero : THEOREM sign_extend(k)(bv) =
                 IF bv(N-1) = 1 THEN NOT(zero_extend(k)(NOT(bv)))
                 ELSE zero_extend(k)(bv)
                 ENDIF

A function zero_extend_lsend is also defined to return a function that extends a bitvector
to length k by padding 0’s at the least significant end. That is, the bv2nat
interpretation of the argument is multiplied by 2^(k-N):

zero_extend_lsend(k: above(N)): [bvec[N] -> bvec[k]] =
  (LAMBDA bv: bv o bvec0[k-N])

zero_extend_lsend : THEOREM bv2nat(zero_extend_lsend(k) (bv)) 

= bv2nat(bv) * exp2(k-N) 

A higher-order function, lsb_extend, returns a function that extends a bitvector to length
k by repeating the least significant bit of the bitvector at its least significant end.

lsb_extend(k: above(N)): [bvec[N] -> bvec[k]] =
  (LAMBDA bv: IF bv^0 = 0 THEN bv o bvec0[k-N]
              ELSE bv o bvec1[k-N] ENDIF)

The lemmas about the extend functions are proved in the theory bv_extend_lems. 
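The extend operators of this section, as an added Python model (not the report's or the library's code) that checks zero_extend_lem, sign_extend_lem, sign_to_zero and the zero_extend_lsend theorem exhaustively for a small N and k. bv2int is the 2's complement interpretation of section 11. Assumptions of the example: tuple representation with index 0 the least significant bit, so "a o b" is the tuple b + a; bvec0[k] and bvec1[k] are the all-zero and all-one vectors of length k.

```python
# Added example (not part of the NASA report or the PVS bitvectors library): a
# Python model of bv_extend and its lemmas. Tuple representation, index 0 = LSB.
from itertools import product


def bv2nat(bv: tuple) -> int:
    return sum(b << i for i, b in enumerate(bv))


def bv2int(bv: tuple) -> int:
    """2's complement interpretation (bv_int, section 11)."""
    N, v = len(bv), bv2nat(bv)
    return v if v < 2 ** (N - 1) else v - 2 ** N


def bv_not(bv: tuple) -> tuple:
    return tuple(1 - b for b in bv)


def zero_extend(k: int, bv: tuple) -> tuple:
    """bvec0[k-N] o bv: new zero bits above the old most significant bit."""
    assert k > len(bv)
    return bv + (0,) * (k - len(bv))


def sign_extend(k: int, bv: tuple) -> tuple:
    """bvec1[k-N] o bv if the sign bit is set, else bvec0[k-N] o bv."""
    N = len(bv)
    assert k > N
    return bv + (bv[N - 1],) * (k - N)


def zero_extend_lsend(k: int, bv: tuple) -> tuple:
    """bv o bvec0[k-N]: new zero bits below the old least significant bit."""
    assert k > len(bv)
    return (0,) * (k - len(bv)) + bv


def lsb_extend(k: int, bv: tuple) -> tuple:
    """bv o bvec0[k-N] or bv o bvec1[k-N], copying the old least significant bit."""
    assert k > len(bv)
    return (bv[0],) * (k - len(bv)) + bv


def check_extend_lemmas(N: int, k: int) -> bool:
    for bits in product((0, 1), repeat=N):
        bv = tuple(bits)
        if bv2nat(zero_extend(k, bv)) != bv2nat(bv):                       # zero_extend_lem
            return False
        if bv2int(sign_extend(k, bv)) != bv2int(bv):                       # sign_extend_lem
            return False
        if bv2nat(zero_extend_lsend(k, bv)) != bv2nat(bv) * 2 ** (k - N):  # zero_extend_lsend
            return False
        expect = (bv_not(zero_extend(k, bv_not(bv))) if bv[N - 1] == 1      # sign_to_zero
                  else zero_extend(k, bv))
        if sign_extend(k, bv) != expect:
            return False
        # Zero-extending a negative value changes its 2's complement reading;
        # only sign_extend preserves bv2int.
        if bv[N - 1] == 1 and bv2int(zero_extend(k, bv)) == bv2int(bv):
            return False
    return True


if __name__ == "__main__":
    neg8 = (0, 0, 0, 1)                      # 4-bit 1000 = -8
    print(sign_extend(8, neg8), bv2int(sign_extend(8, neg8)))
    print(zero_extend(8, neg8), bv2int(zero_extend(8, neg8)))
    print(check_extend_lemmas(4, 7))
```

The last check in check_extend_lemmas is the practical point: widening a signed quantity with zero_extend silently turns a negative value into a large positive one, so a hardware or software model must pick the extension that matches the intended interpretation.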


10 Theorems Involving Concatenation and Extraction

The following properties of ^ and o are proved in the theory bv_manipulations:

bvn: VAR bvec[n]
bvm: VAR bvec[m]

caret_concat_bot : THEOREM i < m IMPLIES (bvn o bvm)^(i,j) = bvm^(i,j)

caret_concat_top : THEOREM i >= m AND j >= m IMPLIES
                     (bvn o bvm)^(i,j) = bvn^(i-m, j-m)

caret_concat_all : THEOREM i >= m AND j < m IMPLIES
                     (bvn o bvm)^(i,j) = bvn^(i-m, 0) o bvm^(m-1, j)

bv_decomposition : THEOREM bvn^(n-1, k+1) o bvn^(k, 0) = bvn

concat_bottom : THEOREM (bvn o bvm)^(m-1, 0) = bvm

concat_top : THEOREM (bvn o bvm)^(n+m-1, m) = bvn
The first two theorems simplify formulas involving concatenation and extraction when the
part to be extracted is completely within one of the parts being joined together. The formula 
caret_concat_all moves an extraction within the concatenation. The last two theorems are 
similar to the first two, except that the extraction involves the complete parts. 
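The concatenation and extraction operators of sections 5 and 6 together with the theorems of this section, as one added Python model (not the report's or the library's code) that checks them exhaustively for small n and m, and reproduces the bv^(4,2) = (v,w,x) example of section 6. Assumptions of the example: a bitvector is a tuple (of 0/1 ints, or of symbols for display) with index 0 the least significant bit, so "bvn o bvm" is the tuple bvm + bvn and bv^(i,j) is bv[j:i+1].

```python
# Added example (not part of the NASA report or the PVS bitvectors library): a
# Python model of o, ^(i,j) and the lemmas of bv_concat_lems / bv_manipulations.
from itertools import product


def bv2nat(bv: tuple) -> int:
    return sum(b << i for i, b in enumerate(bv))


def concat(bvn: tuple, bvm: tuple) -> tuple:
    """bvn o bvm: bvm supplies bits 0..m-1, bvn supplies bits m..n+m-1."""
    return bvm + bvn


def extract(bv: tuple, i: int, j: int) -> tuple:
    """bv^(i,j): bits j..i inclusive; the dependent type demands j <= i < N."""
    assert 0 <= j <= i < len(bv), "extraction bounds out of range"
    return bv[j:i + 1]


def bv_not(bv: tuple) -> tuple:
    return tuple(1 - b for b in bv)


def msb_first(bv: tuple) -> tuple:
    """Display helper: the report writes vectors most significant bit first."""
    return tuple(reversed(bv))


def all_bvecs(n: int) -> list:
    return [tuple(bits) for bits in product((0, 1), repeat=n)]


def check_concat_extract(n: int, m: int) -> bool:
    """Exhaustively check the lemmas of sections 5 and 10 for bvec[n] and bvec[m]."""
    null_bv = ()
    for bvn in all_bvecs(n):
        if concat(bvn, null_bv) != bvn or concat(null_bv, bvn) != bvn:   # concat_identity_r/_l
            return False
        for k in range(n - 1):                                            # bv_decomposition
            if concat(extract(bvn, n - 1, k + 1), extract(bvn, k, 0)) != bvn:
                return False
        for bvm in all_bvecs(m):
            c = concat(bvn, bvm)
            if bv2nat(c) != bv2nat(bvn) * 2 ** m + bv2nat(bvm):          # bvconcat2nat
                return False
            if m and extract(c, m - 1, 0) != bvm:                         # concat_bottom
                return False
            if n and extract(c, n + m - 1, m) != bvn:                     # concat_top
                return False
            for i in range(n + m):
                for j in range(i + 1):
                    got = extract(c, i, j)
                    if i < m and got != extract(bvm, i, j):               # caret_concat_bot
                        return False
                    if j >= m and got != extract(bvn, i - m, j - m):      # caret_concat_top
                        return False
                    if i >= m and j < m and got != concat(extract(bvn, i - m, 0),
                                                          extract(bvm, m - 1, j)):
                        return False                                      # caret_concat_all
            for bvp in all_bvecs(2):                                      # concat_associative
                if concat(concat(bvn, bvm), bvp) != concat(bvn, concat(bvm, bvp)):
                    return False
    for a in all_bvecs(n):                                                # not_over_concat
        for b in all_bvecs(n):
            if bv_not(concat(a, b)) != concat(bv_not(a), bv_not(b)):
                return False
    return True


if __name__ == "__main__":
    # Section 6 example: bv = (t,u,v,w,x,y,z) with z least significant, bv^(4,2) = (v,w,x)
    bv = tuple(reversed("tuvwxyz"))
    print(msb_first(extract(bv, 4, 2)))
    print(check_concat_extract(3, 2), check_concat_extract(2, 3))
```

The assert in extract is the executable form of the dependent type [i1: below(N), upto(i1)]: an out-of-range or reversed (i, j) is rejected at the call rather than producing an empty or mis-sized vector.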


11 2’s Complement Interpretations of a Bitvector

The 2’s complement interpretation of a bitvector of length N enables the representation of
integers from -2^(N-1) to 2^(N-1) - 1. The basic definitions for 2’s complement arithmetic are
given in the bv_int theory.

Two constants are defined to represent the minimum and maximum values: 

minint: int = -exp2(N-l) 
maxint: int = exp2(N-l) - 1 

The range of values is defined as follows: 

in_rng_2s_comp(i: int): bool = (minint <= i AND i <= maxint)
rng_2s_comp: TYPE = {i: int | minint <= i AND i <= maxint}

The 2’s complement interpretation function, bv2int, is defined as follows: 

bv2int(bv: bvec): rng_2s_comp = IF bv2nat(bv) < exp2(N-1) THEN bv2nat(bv)
                                ELSE bv2nat(bv) - exp2(N) ENDIF

The bv2int function can also be expressed as follows:

bv2int_lem : THEOREM bv2int(bv) = bv2nat(bv) - exp2(N) * bv(N - 1)

The bv2int function is bijective (i.e. is a one-to-one correspondence) between bvec and rng_2s_comp:

bv2int_bij : THEOREM bijective?(bv2int)

and thus an inverse function int2bv exists on the range rng_2s_comp:

int2bv(val: rng_2s_comp): bvec = inverse(bv2int)(val)

The following relationship exists between these functions:

bv2int_inv : THEOREM bv2int(int2bv(iv)) = iv

The int2bv function can also be translated into nat2bv as follows:

ii: VAR rng_2s_comp

int2bv_2nat : LEMMA int2bv(ii) = IF ii >= 0 THEN nat2bv[N](ii)
                                 ELSE nat2bv[N](ii + exp2(N)) ENDIF
12 Bitvector Arithmetic

An important advantage of 2’s complement arithmetic is that the + operation for the natural
number interpretation and the 2’s complement interpretation is the same. Thus, the same
hardware can be used for both cases. This property and others are developed in the following
subsections.

12.1 Definition of Arithmetic Operators

Operations are defined to increment and decrement a bitvector by an integer in the theory
bv_arith_nat. These operations are overloaded on the + and - symbols:

+(bv: bvec, i: int): bvec = nat2bv(mod(bv2nat(bv) + i, exp2(N))) ;

-(bv: bvec, i: int): bvec = bv + (-i) ;

The addition of two bitvectors is defined as follows:

+(bv1: bvec, bv2: bvec): bvec =
  IF bv2nat(bv1) + bv2nat(bv2) < exp2(N)
  THEN nat2bv(bv2nat(bv1) + bv2nat(bv2))
  ELSE nat2bv(bv2nat(bv1) + bv2nat(bv2) - exp2(N))
  ENDIF ;

This definition leads immediately to the following theorems:

bv_add : LEMMA bv2nat(bv1 + bv2) =
           IF bv2nat(bv1) + bv2nat(bv2) < exp2(N)
           THEN bv2nat(bv1) + bv2nat(bv2)
           ELSE bv2nat(bv1) + bv2nat(bv2) - exp2(N) ENDIF

bv_addcomm : THEOREM bv1 + bv2 = bv2 + bv1

The first lemma provides the natural number interpretation for the + operation: addition is
modulo exp2(N), and a carry out of the top bit is silently dropped. The next
theorem shows that it is commutative. Other useful lemmas about bitvector addition are
also provided:

k, k1, k2: VAR int

bv_add_two_consts : THEOREM (bv1 + k1) + (bv2 + k2) = (bv1 + bv2) + (k1 + k2)

bv_add_const_assoc : THEOREM bv1 + (bv2 + k) = (bv1 + bv2) + k

bv_add_2_consts : LEMMA (bv + k1) + k2 = bv + (k1 + k2)

bv_both_sides : THEOREM (bv1 + bv3 = bv2 + bv3) IFF bv1 = bv2

bv_add_assoc : THEOREM bv1 + (bv2 + bv3) = (bv1 + bv2) + bv3
The * is overloaded to represent the unsigned multiplication of two N-bit bvecs:

*(bv1: bvec[N], bv2: bvec[N]): bvec[2*N]
  = nat2bv[2*N](bv2nat(bv1) * bv2nat(bv2)) ;

This definition leads immediately to the following theorem, which provides the natural number
interpretation for the * operation:

bv_mult : LEMMA bv2nat(bv1 * bv2) = bv2nat(bv1) * bv2nat(bv2)

Because the product of two N-bit values always fits in 2*N bits, no wrap-around occurs in bv_mult,
unlike in bv_add.

The carryout function is defined as follows:

carryout(bv1: bvec, bv2: bvec, Cin: bvec[1]): bvec[1] =
  (LAMBDA (bb: below(1)):
     bool2bit(bv2nat(bv1) + bv2nat(bv2) + bv2nat(Cin) >= exp2(N))) ;

The carryout function indicates when the + operation will exceed the capacity of the bitvector.
Note that carryout returns a bvec[1], not a bool.

The inequalities over bitvectors are defined on the natural number interpretation (i.e. they are
unsigned comparisons) as follows:

< (bv1: bvec, bv2: bvec): bool = bv2nat(bv1) <  bv2nat(bv2) ;
<=(bv1: bvec, bv2: bvec): bool = bv2nat(bv1) <= bv2nat(bv2) ;
> (bv1: bvec, bv2: bvec): bool = bv2nat(bv1) >  bv2nat(bv2) ;
>=(bv1: bvec, bv2: bvec): bool = bv2nat(bv1) >= bv2nat(bv2) ;

The following lemmas about the bitvector order relations are provided, where bvec0 is the
all-zero and bvec1 the all-one bitvector of length N:

bv_smallest : LEMMA (FORALL bv: bv >= bvec0)
bv_greatest : LEMMA (FORALL bv: bv <= bvec1)


12.2 Arithmetic Properties of Shifting 

The following theorems (available in bv_arith_extract) give the numerical properties of
left and right shifting:

ss: VAR below(N)
bv: VAR bvec[N]

bv_shift        : THEOREM bv2nat(bv^(N-1, ss)) = div(bv2nat(bv), exp2(ss))
bv_bottom       : THEOREM bv2nat(bv^(ss, 0)) = mod(bv2nat(bv), exp2(ss+1))
right_shift_lem : THEOREM bv2nat(right_shift(ss, bv)) = div(bv2nat(bv), exp2(ss))
left_shift_lem  : THEOREM bv2nat(left_shift(ss, bv)) = bv2nat(bv^(N-ss-1, 0)) * exp2(ss)

The bv_shift theorem establishes that the extraction of the upper bits is equivalent to
dividing by a power of 2 under the natural number interpretation². This theorem is closely
related to right_shift_lem. The bv_bottom theorem establishes that the extraction
of the lower bits is equivalent to a power of 2 mod operation under the natural number
interpretation. Note that left_shift_lem multiplies only the low N-ss bits by exp2(ss): the
upper ss bits are shifted out and lost, so a left shift is a multiplication of bv2nat(bv) by exp2(ss)
only when bv2nat(bv) < exp2(N-ss).

The arithmetic right shift operator is defined in bv_arith_shift as follows:

arith_shift_right(k: upto(N), bv: bvec[N]): bvec[N]
  = right_shift_with(k, fill[k](bv^(N-1)), bv)

Note that it fills the upper k bits with the (N-1)st bit of the original bitvector. The following
theorem shows the 2’s complement result of an arithmetic right shift:

k: VAR upto(N)

arith_shift_right_int : LEMMA bv2int(arith_shift_right(k, bv)) =
                          floor(bv2int(bv) / exp2(k))

The result is the floor of the quotient, not the quotient rounded toward zero: for a negative
value with a nonzero remainder the two differ (e.g. -3 shifted right by 1 gives -2, not -1).
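The shift theorems of this subsection, as an added Python model (not the report's or the library's code) that checks bv_shift, bv_bottom, right_shift_lem, left_shift_lem and arith_shift_right_int exhaustively for a small N, and then lists every case where rounding toward zero would disagree with the floor that arith_shift_right_int guarantees. Assumptions of the example: tuple representation with index 0 the least significant bit; right_shift_with is not shown in the report, so it is modelled here as "fill o bv^(N-1,k)", with k = N yielding the fill vector alone.

```python
# Added example (not part of the NASA report or the PVS bitvectors library): the
# arithmetic content of bv_arith_extract and bv_arith_shift. Tuple representation,
# index 0 = LSB; "a o b" is the tuple b + a.
from itertools import product


def exp2(n: int) -> int:
    return 1 << n


def bv2nat(bv: tuple) -> int:
    return sum(b << i for i, b in enumerate(bv))


def bv2int(bv: tuple) -> int:
    """2's complement interpretation (bv_int)."""
    N, v = len(bv), bv2nat(bv)
    return v if v < exp2(N - 1) else v - exp2(N)


def extract(bv: tuple, i: int, j: int) -> tuple:
    assert 0 <= j <= i < len(bv)
    return bv[j:i + 1]


def right_shift(ss: int, bv: tuple) -> tuple:
    N = len(bv)
    return bv if ss == 0 else (0,) * N if ss >= N else extract(bv, N - 1, ss) + (0,) * ss


def left_shift(ss: int, bv: tuple) -> tuple:
    N = len(bv)
    return bv if ss == 0 else (0,) * N if ss >= N else (0,) * ss + extract(bv, N - ss - 1, 0)


def fill(k: int, bit: int) -> tuple:
    return (bit,) * k


def right_shift_with(k: int, f: tuple, bv: tuple) -> tuple:
    """Assumed meaning: the upper k bits come from f, the rest from bv^(N-1,k)."""
    N = len(bv)
    assert len(f) == k <= N
    return bv if k == 0 else f if k == N else extract(bv, N - 1, k) + f


def arith_shift_right(k: int, bv: tuple) -> tuple:
    """Upper k bits copied from the sign bit bv^(N-1)."""
    return right_shift_with(k, fill(k, bv[len(bv) - 1]), bv)


def check_shift_arith(N: int) -> bool:
    for bits in product((0, 1), repeat=N):
        bv = tuple(bits)
        v = bv2nat(bv)
        for ss in range(N):
            if bv2nat(extract(bv, N - 1, ss)) != v // exp2(ss):                       # bv_shift
                return False
            if bv2nat(extract(bv, ss, 0)) != v % exp2(ss + 1):                        # bv_bottom
                return False
            if bv2nat(right_shift(ss, bv)) != v // exp2(ss):                          # right_shift_lem
                return False
            if bv2nat(left_shift(ss, bv)) != bv2nat(extract(bv, N - ss - 1, 0)) * exp2(ss):
                return False                                                          # left_shift_lem
        for k in range(N + 1):                                                        # arith_shift_right_int
            if bv2int(arith_shift_right(k, bv)) != bv2int(bv) // exp2(k):             # Python // is floor
                return False
    return True


def floor_vs_trunc_mismatches(N: int) -> list:
    """(value, k, floor result, truncating result) wherever division rounded toward
    zero, as C integer division does, disagrees with arith_shift_right_int's floor."""
    out = []
    for bits in product((0, 1), repeat=N):
        bv = tuple(bits)
        v = bv2int(bv)
        for k in range(1, N + 1):
            d = exp2(k)
            fl = v // d
            tr = v // d if v >= 0 else -((-v) // d)
            if fl != tr:
                out.append((v, k, fl, tr))
    return out


if __name__ == "__main__":
    print(check_shift_arith(5))
    print(floor_vs_trunc_mismatches(4))
```

Every entry returned by floor_vs_trunc_mismatches has a negative value: emulating an arithmetic right shift with a signed division that truncates is off by one exactly for negative operands with a nonzero remainder.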


12.3 Theorems about 2’s Complement Arithmetic 

The 2’s complement negation of a bitvector is defined in bv_arithmetic as follows:

-(bv: bvec): bvec = int2bv( IF bv2int(bv) = minint THEN bv2int(bv)
                            ELSE -(bv2int(bv)) ENDIF ) ;

Note the special case: minint has no positive counterpart in rng_2s_comp, so -minint = minint.
The following property relates this operator to bv2int:

unaryminus : LEMMA bv2int(-bv) = IF bv2int(bv) = minint THEN bv2int(bv)
                                 ELSE -(bv2int(bv)) ENDIF

The subtraction of two bitvectors is defined (in bv_arithmetic) using bitvector addition
as follows:

-(bv1, bv2): bvec = (bv1 + (-bv2))

If the result is in the range of 2’s complement integers, addition of two bitvectors is the same
as for the natural number interpretation:

intaddlem : THEOREM in_rng_2s_comp(bv2int(bv1) + bv2int(bv2))
              IMPLIES bv2int(bv1 + bv2) = bv2int(bv1) + bv2int(bv2)

This is the relationship that enables one to use the same hardware for natural number addition
as for 2’s complement addition.

The 2’s complement of a bitvector is its 1’s complement + 1:

twos_compl : THEOREM -bv2int(bv) = bv2int(NOT bv) + 1

The 1’s complement of a bitvector bv is the bitwise NOT, i.e. NOT bv.

² The div function over natural numbers is defined by div(n, m): nat = floor(n/m)
13 Overflow

Arithmetic overflow occurs when the result of an operation cannot be represented within the
bitvector. The conditions for 2’s complement overflow are defined in the bv_overflow theory:

overflow(bv1, bv2, b): bool = (bv2int(bv1) + bv2int(bv2) + b) > maxint[N]
                           OR (bv2int(bv1) + bv2int(bv2) + b) < minint[N]

The following theorem provides the relationship between the top bits of the operands and
the result when overflow occurs: overflow happens exactly when both operands have the same
sign bit and the sign bit of the sum differs from it.

overflow_def : THEOREM overflow(bv1, bv2, b) =
                 ((bv1^(N - 1) = bv2^(N - 1))
                  AND (bv1^(N - 1) /= (bv1 + bv2 + b)^(N - 1)))

The following theorems define the result of bitvector arithmetic when overflow occurs:

not_in_rng : THEOREM NOT in_rng_2s_comp(bv2int(bv1) + bv2int(bv2))
               IMPLIES bv2int(bv1 + bv2) =
                         bv2nat(bv1) + bv2nat(bv2) - exp2(N)

not_in_rng_int : THEOREM NOT in_rng_2s_comp(bv2int(bv1) + bv2int(bv2))
                   IMPLIES bv2int(bv1 + bv2) =
                             bv2int(bv1) + bv2int(bv2) + exp2(N) * bv1(N - 1)
                                                       + exp2(N) * bv2(N - 1)
                                                       - exp2(N)
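The 2's complement interpretation of section 11, the bitvector + of section 12.1, the negation and subtraction of section 12.3 and the overflow theory of this section, as one added Python model (not the report's or the library's code). It checks bv2int_lem, bv2int_inv, twos_compl, unaryminus, intaddlem, not_in_rng_int and overflow_def exhaustively for a small N, and shows overflow_def used the way a detector in an adder or a wrap-around check in software uses it: from the three sign bits alone. Assumptions of the example: tuple representation with index 0 the least significant bit; the carry-in b is 0 or 1 (the report leaves its type implicit, and the overflow_def equivalence needs it to be a single bit).

```python
# Added example (not part of the NASA report or the PVS bitvectors library): a
# Python model of bv_int, bv_arith_nat, bv_arithmetic and bv_overflow.
# Tuple representation, index 0 = LSB.
from itertools import product


def exp2(n: int) -> int:
    return 1 << n


def bv2nat(bv: tuple) -> int:
    return sum(b << i for i, b in enumerate(bv))


def nat2bv(val: int, N: int) -> tuple:
    assert 0 <= val < exp2(N)
    return tuple((val >> i) & 1 for i in range(N))


def minint(N: int) -> int:
    return -exp2(N - 1)


def maxint(N: int) -> int:
    return exp2(N - 1) - 1


def in_rng_2s_comp(i: int, N: int) -> bool:
    return minint(N) <= i <= maxint(N)


def bv2int(bv: tuple) -> int:
    N, v = len(bv), bv2nat(bv)
    return v if v < exp2(N - 1) else v - exp2(N)


def int2bv(val: int, N: int) -> tuple:
    """int2bv computed via the int2bv_2nat lemma."""
    assert in_rng_2s_comp(val, N)
    return nat2bv(val if val >= 0 else val + exp2(N), N)


def add_int(bv: tuple, i: int) -> tuple:
    """bv + i from bv_arith_nat: increment modulo exp2(N)."""
    N = len(bv)
    return nat2bv((bv2nat(bv) + i) % exp2(N), N)


def add(bv1: tuple, bv2: tuple) -> tuple:
    """bv1 + bv2 exactly as defined: wrap once when the sum reaches exp2(N)."""
    N = len(bv1)
    s = bv2nat(bv1) + bv2nat(bv2)
    return nat2bv(s if s < exp2(N) else s - exp2(N), N)


def neg(bv: tuple) -> tuple:
    """2's complement negation; minint is its own negation."""
    N, v = len(bv), bv2int(bv)
    return int2bv(v if v == minint(N) else -v, N)


def sub(bv1: tuple, bv2: tuple) -> tuple:
    return add(bv1, neg(bv2))


def overflow(bv1: tuple, bv2: tuple, b: int) -> bool:
    """The definition: the exact sum leaves the representable range."""
    N = len(bv1)
    s = bv2int(bv1) + bv2int(bv2) + b
    return s > maxint(N) or s < minint(N)


def overflow_from_top_bits(bv1: tuple, bv2: tuple, b: int) -> bool:
    """overflow_def: operands agree in sign and the result's sign differs."""
    N = len(bv1)
    r = add_int(add(bv1, bv2), b)
    return bv1[N - 1] == bv2[N - 1] and bv1[N - 1] != r[N - 1]


def check_twos_complement(N: int) -> bool:
    vecs = [tuple(bits) for bits in product((0, 1), repeat=N)]
    for bv1 in vecs:
        v1 = bv2int(bv1)
        if v1 != bv2nat(bv1) - exp2(N) * bv1[N - 1]:                          # bv2int_lem
            return False
        if bv2int(int2bv(v1, N)) != v1:                                       # bv2int_inv
            return False
        if -v1 != bv2int(tuple(1 - t for t in bv1)) + 1:                      # twos_compl
            return False
        if bv2int(neg(bv1)) != (v1 if v1 == minint(N) else -v1):              # unaryminus
            return False
        for bv2 in vecs:
            v2 = bv2int(bv2)
            r = add(bv1, bv2)
            if in_rng_2s_comp(v1 + v2, N):
                if bv2int(r) != v1 + v2:                                      # intaddlem
                    return False
            elif bv2int(r) != (v1 + v2 + exp2(N) * bv1[N - 1]
                               + exp2(N) * bv2[N - 1] - exp2(N)):             # not_in_rng_int
                return False
            if bv2nat(sub(bv1, bv2)) != (bv2nat(bv1) - bv2nat(bv2)) % exp2(N):
                return False                                                  # subtraction is modular too
            for b in (0, 1):
                if overflow(bv1, bv2, b) != overflow_from_top_bits(bv1, bv2, b):   # overflow_def
                    return False
    return True


if __name__ == "__main__":
    a, b = int2bv(7, 4), int2bv(1, 4)        # maxint + 1 in 4 bits
    print(bv2int(add(a, b)), overflow(a, b, 0), overflow_from_top_bits(a, b, 0))
    print(check_twos_complement(5))
```

overflow_from_top_bits is the form that matters in practice: it needs no wider intermediate result, only the sign bits of the two operands and of the (already wrapped) sum, which is why an adder can raise an overflow flag at no extra cost and why a software check that compares signs after the addition is correct under wrap-around semantics.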


14 Library Organization 

The top of the bitvectors library is located in the theory bv_top. It imports the following
theories:

  bv                  provides the basic definition of the bitvector type bvec
  bv_nat              interprets bvec as a natural number
  bv_int              interprets bvec as an integer
  bv_arithmetic       defines basic operators (i.e. + - >) over bitvectors
  bv_arith_nat        defines bitvector plus, etc.
  bv_arith_extract    defines arithmetic over extractors
  bv_extractors       defines the extraction operator ^ that creates smaller bitvectors from larger ones
  bv_extractors_lems  provides lemmas about the ^ operator
  bv_concat           defines the concatenation operator o
  bv_concat_lems      establishes that concat is a monoid
  bv_constants        defines some useful bitvector constants
  bv_manipulations    provides lemmas concerning ^ and o
  bv_bitwise          defines bit-wise logical operations on bitvectors
  bv_bitwise_lems     provides lemmas about bit-wise logical operations
  bv_shift            defines shift operations
  bv_extend           provides zero and sign extend operations
  bv_extend_lems      provides lemmas about extend operations
  bv_fract            defines the fractional interpretation of a bitvector
  bv_overflow         relates overflow to top bits

A graphical display of the import chain is shown in figure 1.